2 # this script generates a set of sample keys
7 [ -f config ] && . ./config
10 rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl
13 ####### create various extensions files for the various certificate types ######
15 basicConstraints = CA:true
16 subjectKeyIdentifier = hash
17 keyUsage = keyCertSign, cRLSign
18 crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
19 authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
22 cat <<TESTCA > subca.cnf
23 basicConstraints = CA:true
24 subjectKeyIdentifier = hash
25 keyUsage = keyCertSign, cRLSign
26 crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
27 authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
30 cat <<TESTCA > req.cnf
31 basicConstraints = critical,CA:false
32 keyUsage = keyEncipherment, digitalSignature
33 extendedKeyUsage=serverAuth
34 subjectKeyIdentifier = hash
35 authorityKeyIdentifier = keyid:always,issuer:always
36 #crlDistributionPoints=URI:http://www.my.host/ca.crl
37 #authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
40 cat <<TESTCA > reqClient.cnf
41 basicConstraints = critical,CA:false
42 keyUsage = keyEncipherment, digitalSignature
43 extendedKeyUsage=clientAuth
44 subjectKeyIdentifier = hash
45 authorityKeyIdentifier = keyid:always,issuer:always
46 #crlDistributionPoints=URI:http://www.my.host/ca.crl
47 #authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
50 cat <<TESTCA > reqMail.cnf
51 basicConstraints = critical,CA:false
52 keyUsage = keyEncipherment, digitalSignature
53 extendedKeyUsage=emailProtection
54 subjectKeyIdentifier = hash
55 authorityKeyIdentifier = keyid:always,issuer:always
56 #crlDistributionPoints=URI:http://www.my.host/ca.crl
57 #authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
60 genKey(){ #subj, internalName
61 openssl genrsa -out $2.key ${KEYSIZE}
62 openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
66 genca(){ #subj, internalName
69 genKey "$1" "$2.ca/key"
72 echo 01 > $2.ca/serial
74 echo unique_subject = no >$2.ca/db.attr
78 caSign(){ # csr,ca,config
80 openssl ca -cert key.crt -keyfile key.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3
85 caSign "$1.ca/key" root subca.cnf
89 cat <<TESTCA > timesubca.cnf
90 basicConstraints = CA:true
91 subjectKeyIdentifier = hash
92 keyUsage = keyCertSign, cRLSign
93 crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$2.crl
94 authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$2.crt
96 caSign $1 $2 timesubca.cnf
100 genserver(){ #key, subject, config
101 openssl genrsa -out $1.key ${KEYSIZE}
102 openssl req -new -key $1.key -out $1.csr -subj "$2"
103 caSign $1 env15_1 "$3"
105 openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12
110 # Generate the super Root CA
111 genca "/CN=Cacert-gigi testCA" root
112 openssl x509 -req -days 365 -in root.ca/key.csr -signkey root.ca/key.key -out root.ca/key.crt -extfile ca.cnf
114 # generate the various sub-CAs
115 genca "/CN=Environment" env
117 genca "/CN=Unassured" unassured
119 genca "/CN=Assured" assured
121 genca "/CN=Codesigning" codesign
123 genca "/CN=Orga" orga
125 genca "/CN=Orga sign" orgaSign
128 genca "/CN=Environment 2015-1" env15_1
129 genTimeCA env15_1.ca/key env
130 genKey "/CN=Unassured 2015-1" unassured15_1
131 genTimeCA unassured15_1 unassured
133 cat env15_1.ca/key.crt env.ca/key.crt root.ca/key.crt > env.chain.crt
135 # generate environment-keys specific to gigi.
136 # first the server keys
137 genserver www "/CN=www.${DOMAIN}" req.cnf
138 genserver secure "/CN=secure.${DOMAIN}" req.cnf
139 genserver static "/CN=static.${DOMAIN}" req.cnf
140 genserver api "/CN=api.${DOMAIN}" req.cnf
142 # then the email signing key
143 genserver mail "/emailAddress=support@${DOMAIN}" reqMail.cnf
145 # then environment-keys for cassiopeia
146 genserver signer_client "/CN=CAcert signer handler 1" reqClient.cnf
147 genserver signer_server "/CN=CAcert signer 1" req.cnf
149 rm ca.cnf subca.cnf req.cnf reqMail.cnf reqClient.cnf
151 for local in www secure static api signer_client signer_server mail; do
152 openssl verify -CAfile root.ca/key.crt -untrusted env.chain.crt $local.crt